Provide generic analyzer for custom security scans
Problem to solve
We often get requests to customize our ~Secure analyzers for SAST and dependency scanning, for example https://gitlab.com/gitlab-org/gitlab-ee/issues/6239. This is often difficult to support given the variety of tools we use and the variations in rulesets customers want.
Many of our underlying tools do not provide a way to customize their behavior, which forces us either to contribute upstream or to modify their behavior ourselves. As such, we should consider a generic pattern matcher which customers can use to scan for a predefined set of rules. This would be disabled by default but could be enabled with an additional job definition and inclusion in the `DEFAULT_ANALYZERS` environment variable configuration.
(SAST is simpler, so initially ignoring dependency scanning.)

A generic analyzer that wraps a regex engine. This analyzer takes a regex rule list as its input configuration and scans a project for the given patterns. It also accepts a configurable severity level, confidence level and scanner name so that findings are reported more precisely.
```shell
docker run \
  --interactive --tty --rm \
  --volume "$PWD":/tmp/app \
  --env CI_PROJECT_DIR=/tmp/app \
  --env RULELIST=./my_custom_regexes.toml \
  --env DEFAULT_SEVERITY=high \
  --env SCANNER_NAME="Custom Java Scanner" \
  registry.gitlab.com/gitlab-org/security-products/analyzers/generic:12-1-stable /analyzer run
```
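The rule-driven scan the proposal describes, as an added Go example that is not the analyzer's own code: the rules are embedded in place of a decoded `RULELIST` TOML file (that decoding step is assumed, not shown), and the `Rule`, `Finding` and `Scan` names are assumptions. Each rule hit becomes a finding carrying the configured severity, confidence and scanner name, and a pattern that does not compile fails the scan instead of being silently skipped.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Rule is one rule-list entry; decoding the TOML file named by RULELIST into it is assumed, not shown.
type Rule struct{ ID, Pattern, Message string }
// Finding holds what a report entry needs: rule, location, and the configured severity/confidence/scanner.
type Finding struct {
	RuleID, Message, Severity, Confidence, Scanner, File string
	Line                                                int
}

// Scan applies every rule to each line of content and returns one Finding per match. A pattern that
// fails to compile aborts the scan with an error, so a broken rule list cannot produce a clean report.
func Scan(rules []Rule, file, content, severity, confidence, scanner string) ([]Finding, error) {
	var out []Finding
	lines := strings.Split(content, "\n")
	for _, r := range rules {
		re, err := regexp.Compile(r.Pattern)
		if err != nil {
			return nil, fmt.Errorf("rule %s: bad pattern %q: %w", r.ID, r.Pattern, err)
		}
		for i, l := range lines {
			if re.MatchString(l) {
				out = append(out, Finding{r.ID, r.Message, severity, confidence, scanner, file, i + 1})
			}
		}
	}
	return out, nil
}
// Constructed sample rules and source file, standing in for RULELIST and a checked-out project.
var sampleRules = []Rule{
	{"CUSTOM-001", `(?i)\b(password|pw)\s*=\s*"[^"]+"`, "hard-coded credential"},
	{"CUSTOM-002", `Runtime\.getRuntime\(\)\.exec\(`, "external process execution"},
}
const sampleSrc = "String pw = \"hunter2\";\nRuntime.getRuntime().exec(cmd);\nint x = 1;\n"
func main() {
	f, err := Scan(sampleRules, "src/App.java", sampleSrc, "high", "medium", "Custom Java Scanner")
	if err != nil {
		panic(err) // e.g. a malformed pattern in the rule list
	}
	json.NewEncoder(os.Stdout).Encode(f) // one JSON object per rule hit
}
```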
Permissions and Security
What does success look like, and how can we measure that?
Customers can enable an analyzer with a simple TOML configuration. This allows their scans to track findings outside the scope of our default analyzers.
Customers do not need to create custom images or compile analyzers in order to use custom rulesets.